<html>
<head><meta charset="utf-8"><title>Relying on max slice length · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html">Relying on max slice length</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="220034883"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220034883" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tyson Nottingham <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220034883">(Dec 15 2020 at 20:09)</a>:</h4>
<p>Is the max u8 slice/array length of <code>isize::MAX</code> part of the specification of the language (though I know a spec doesn't really exist), or is it just an implementation detail?</p>
<p>Asking because have a PR in which I sum the lengths of two slices, and there was a concern about overflow. I'm wondering if I can definitively say that overflow won't happen.</p>



<a name="220035730"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220035730" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220035730">(Dec 15 2020 at 20:15)</a>:</h4>
<p>well even without spec support, there is an architectural limit, at least on 64 bit architectures</p>



<a name="220036570"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220036570" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220036570">(Dec 15 2020 at 20:21)</a>:</h4>
<p>The <code>isize::MAX</code> bound is mentioned in the rust reference <a href="https://doc.rust-lang.org/reference/types/numeric.html">here</a>, which is the closest thing we currently have to a spec</p>



<a name="220036791"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220036791" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220036791">(Dec 15 2020 at 20:22)</a>:</h4>
<p>AFAIU array indexing is compiled to get-pointer-inbounds on LLVM, and this uses signed indexes and is UB on overflow, so it's not possible to compile larger indexing operations</p>



<a name="220036845"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220036845" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tyson Nottingham <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220036845">(Dec 15 2020 at 20:23)</a>:</h4>
<p><code>This ensures that isize ... can address every byte within an object along with one byte past the end.</code></p>
<p>Yeah, I think that's probably definitive enough. Thanks <span class="user-mention" data-user-id="271719">@Mario Carneiro</span></p>



<a name="220037420"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220037420" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220037420">(Dec 15 2020 at 20:27)</a>:</h4>
<p><span class="user-mention silent" data-user-id="306073">Tyson Nottingham</span> <a href="#narrow/stream/136281-t-lang.2Fwg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length/near/220034883">said</a>:</p>
<blockquote>
<p>Is the max u8 slice/array length of <code>isize::MAX</code> part of the specification of the language (though I know a spec doesn't really exist), or is it just an implementation detail?</p>
<p>Asking because have a PR in which I sum the lengths of two slices, and there was a concern about overflow. I'm wondering if I can definitively say that overflow won't happen.</p>
</blockquote>
<p>It's in the safety section for <code>from_raw_parts</code>, so...<br>
<a href="https://doc.rust-lang.org/std/slice/fn.from_raw_parts.html#safety">https://doc.rust-lang.org/std/slice/fn.from_raw_parts.html#safety</a></p>



<a name="220044361"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220044361" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> scottmcm <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220044361">(Dec 15 2020 at 21:23)</a>:</h4>
<p>(I wish we had a type for it, like we do with NonNull, though)</p>



<a name="220051356"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220051356" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220051356">(Dec 15 2020 at 22:21)</a>:</h4>
<p>You mean like <code>u63</code>?</p>



<a name="220052034"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220052034" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220052034">(Dec 15 2020 at 22:27)</a>:</h4>
<p>glibc also refuses to allocate more than <code>PTRDIFF_MAX</code>, since 2.30</p>



<a name="220052060"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220052060" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> cuviper <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220052060">(Dec 15 2020 at 22:27)</a>:</h4>
<p>maybe you could still <code>mmap</code> a huge size</p>



<a name="220092250"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220092250" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220092250">(Dec 16 2020 at 09:14)</a>:</h4>
<p><span class="user-mention" data-user-id="306073">@Tyson Nottingham</span> I am inclined to answer "no" until the lang-team explicitly FCP's this.</p>



<a name="220092296"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220092296" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220092296">(Dec 16 2020 at 09:15)</a>:</h4>
<p>All <em>currently existing</em> u8 slices (<code>&amp;[u8]</code>, not <code>*const [u8]</code>) will have a max length of <code>isize::MAX</code>. But there is no promise being made that this will remain true in the future.</p>



<a name="220092386"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220092386" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220092386">(Dec 16 2020 at 09:16)</a>:</h4>
<p>The docs just say that <code>isize::MAX</code> slices can be created (that falls out of backwards compatibility), but that's not an "if-and-only-if" statement.</p>



<a name="220171107"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying%20on%20max%20slice%20length/near/220171107" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tyson Nottingham <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Relying.20on.20max.20slice.20length.html#220171107">(Dec 16 2020 at 20:50)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> , thanks. It's easy enough to avoid the overflow in my case, though there's a slight effect on perf.</p>
<p>It may be worth auditing the std lib if a decision is made to make the maximum larger than <code>isize::MAX</code>. The overflow case I was referring to above is actually a pre-existing issue in <code>BufWriter</code>. It might be that other code is relying on the current slice maximums (and probably some that isn't paying attention to overflow at all).</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>